Re: splunk for windows infrastructure problem

hichem_khalfi · ‎02-27-2022

Hello
please I will ask several questions and thank you for taking step by step because I am a student and this is my first time using splunk enterprise:
I want to monitor my active directory I found the application "splunk for windows infrastructure"

I have successfully configured add on Splunk_TA_microsoft_ad on the portal.

of course these 2 add ons exist in C:\Program Files\SplunkUniversalForwarder\etc\apps on my active directory server
for licensing reasons I only enabled index [WinEventLog://Security] for the input of the add on Splunk_TA

[WinEventLog://Security]
disabled = 0
start_from oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist=
4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719
blacklist1 = EventCode="4662" Message="Object Type: (?!
\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!
\s*group PolicyContainer)"
renderXml=true

and I created the local folder from which I copied the input.con and app.conf files after modification.

but when I run the Splunk for windows infrastructure application I find no information: either the search is waiting for input or no results found.

I don't know what configuration I missed.
Of course, I deactivated the firewall carefully and when I do raw searches with search and reporting I got the information so the logs are sent from the server but there is a problem at the application level

If not, do you have another proposal for AD monitoring??

and thank you

hichem_khalfi · ‎02-28-2022

@SinghK @gcusello please i'm sorry

i'm trying to verify my job

how can i Tell the deployment server to reload its deployment configuration with powershell because i find only for linux method

 cd \Program Files\Splunk\bin
> .\splunk reload deploy-server

SinghK · ‎02-28-2022

run that from linux command line

you will be running that as splunk user

else you need to put in the complete path of you bin directory

/opt/splunk/bin/splunk reload deploy-server.

gcusello · ‎02-28-2022

Hi @hichem_khalfi,

this isn't a Powershell command, it's a Splunk CLI command that you can run on Windows opening a cmd session with Administrative grants (run as administrator).

This command is useful to force the deploy of new configurations, if you don't force it, it will be anyway deployed after few minutes.

Ciao.

Giuseppe

hichem_khalfi · ‎02-28-2022

ok thanks

i try to unistall all and i'm rebolt evrythink from the begin

i have an issue to deploy the TA_windows_AD, when i want to check the data with the command: host="myhost".....

i have nothing, i have only this notification :

Eventtype 'wineventlog_security' does not exist or is disabled

and this message :
Now skipping indexing of internal audit events, because the downstream queue is not accepting data. Will keep dropping events until data flow resumes. Review system health: ensure downstream indexing and/or forwarding are operating correctly.

@gcusello @SinghK i'm sorry

SinghK · ‎02-28-2022

In your inputs [WinEventLog://Security]

[WinEventLog://Security]

index= <your index name here>
disabled = 0
start_from oldest
current_only = 0
evt_resolve_ad_obj = 1
Interval checkpoint = 5
whitelist=
4724,4725,4726,4624,4625,4720,4732,4722,4738,4742,4729,4715,4719
blacklist1 = EventCode="4662" Message="Object Type: (?!
\s*group Policy Container)"
blacklist2 = EventCode="566" Message="Object Type: (?!
\s*group PolicyContainer)"
renderXml=true

Add index = your index name thats how it will know where to send data.

Then in search bar search your index

Index= your index and too should see the data.

hichem_khalfi · ‎02-28-2022

les informations sont indexés automatiquement sous index= main

quand je lance index= main source WinEventLog:Security.....je recois les evenements.

gcusello · ‎02-27-2022

Hi @hichem_khalfi,

at first, are you receiving other logs from that Forwarder?

you can check on Splunk server running the following search:

index=_internal host=your_host

if not, there a problem in log sending, you have to check:

the connection, running from CLI "telnet indexer_IP_address 9997",
the outputs.conf on your Forwarder.

if yes, you have to check the confioguration of your local inputs.conf, could you share it?

Did you restarted Splunk on Forwarder after inputs.conf update?

Ciao.

Giuseppe

hichem_khalfi · ‎02-28-2022

please i did a copy for all the configuration in a pdf file

check it

gcusello · ‎02-28-2022

Hi @hichem_khalfi,

configurations seem to be OK.

did you performed the other checks I asked'

Ciao.

Giuseppe

hichem_khalfi · ‎02-28-2022

oui oui c'est fait correctement

déjà je suis en train de faire quelques recherches brutes et je trouve les informations

gcusello · ‎02-28-2022

Hi @hichem_khalfi,

sorry if I continue to speak in english but I don't speak French.

Let me understand:

you have Splunk internal logs from that server, but you haven't in index=main the other events, is this correct?

Ciao.

Giuseppe

hichem_khalfi · ‎02-28-2022

for me when I do classic research through search and reporting, I can get results
index = main ......eventid.....source.....
I can have events with this method
but when I switch to the splunk for windows infrastructure application that its search codes are ready automatically I do not receive any information or event

gcusello · ‎02-28-2022

Hi @hichem_khalfi,

did you configured the App?

if I correctly remember (it's an archived App and I used it some years ago), it uses many lookups to generate executing searches during the initial setup phase.

Did you followed instructions at https://splunkbase.splunk.com/app/1680/#/details?

Ciao.

Giuseppe

hichem_khalfi · ‎02-28-2022

veuillez @gcusello @SinghK

j’ai lu dans cette url

Installer l’application Splunk pour l’infrastructure Windows sur la tête de recherche - Documentatio...

cela:

Ajoutez le rôle « winfra-admin » à l’utilisateur qui exécutera l’application sur la tête de recherche

Connectez-vous à Splunk Enterprise sur le déployeur.
Dans la barre système, cliquez sur Paramètres > Contrôles d’accès.
Cliquez sur Utilisateurs.
Cliquez sur l’utilisateur qui exécutera l’application. Splunk Enterprise affiche la page d’informations pour l’utilisateur.

mais je ne le trouve pas

SinghK · ‎02-28-2022

@hichem_khalfi I am sorry , but i do not understand French.

But for the question below they are just asking to assign winfra-admin role to a user. It could be any user.

So first thing to check is settings -->User and Authentication --> Roles and check if winfra-admin role exists. Only then you will be able to assign it to a user.

hichem_khalfi · ‎02-28-2022

exactly i c'ant fin it i dont know why

SinghK · ‎02-28-2022

Did you follow the install instructions from the link posted by @gcusello.

or if you did not can you just goto this link and or above one and verify if all is installed correctly.

https://docs.splunk.com/Documentation/MSApp/2.0.4/MSInfra/HowtodeploytheSplunkAppforWindowsInfrastru...

SinghK · ‎02-28-2022

Yeah, you will have to setup the app's searches as per your environment. update index details etc. in order for it to work properly.

hichem_khalfi · ‎02-28-2022

that is my problem, i d'ont know jow i do that

Splunk for Windows Infrastructure: Search has no information, it's waiting for input or no results found

administration

configuration

installation

Ajoutez le rôle « winfra-admin » à l’utilisateur qui exécutera l’application sur la tête de recherche

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?